From ff3e1ae7d6c12574fca820fa4f24ceca1d8158e6 Mon Sep 17 00:00:00 2001
From: ruslantproductengine <ruslantproductengine@lindenlab.com>
Date: Tue, 4 Aug 2015 17:51:58 +0300
Subject: MAINT-5343 (Viewer sometimes crashes when updating a local tga
 texture when RLE or BMP compression is disabled -
 LLImageTGA::decodeTruecolorNonRle)

---
 indra/llimage/llimagebmp.cpp | 14 ++++++++++++++
 indra/llimage/llimagetga.cpp |  6 ++++++
 2 files changed, 20 insertions(+)

diff --git a/indra/llimage/llimagebmp.cpp b/indra/llimage/llimagebmp.cpp
index 8573fe0d91..a2ce2fee86 100755
--- a/indra/llimage/llimagebmp.cpp
+++ b/indra/llimage/llimagebmp.cpp
@@ -443,6 +443,10 @@ BOOL LLImageBMP::decodeColorMask32( U8* dst, U8* src )
 		mBitfieldMask[2] = 0x000000FF;
 	}
 
+	if (getWidth() * getHeight() * 4 > getDataSize() - mBitmapOffset)
+	{ //here we have situation when data size in src less than actually needed
+		return FALSE;
+	}
 
 	S32 src_row_span = getWidth() * 4;
 	S32 alignment_bytes = (3 * src_row_span) % 4;  // round up to nearest multiple of 4
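Review bot: The size expression `getWidth() * getHeight() * 4` in the new guard can overflow. Judging by the `S32 src_row_span = getWidth() * 4;` line below it, the product is evaluated in 32-bit arithmetic on dimensions taken from the file header, so a wrapped result can come out small or negative and pass the check it is meant to fail. The guards added in decodeColorTable8 and decodeTruecolor24, and `pixels * (...)` in LLImageTGA::decodeTruecolorNonRle, have the same weakness. Widening before multiplying closes it: `if ((S64)getWidth() * getHeight() * 4 > (S64)getDataSize() - mBitmapOffset)`. The function starts and ends outside the hunk, so an earlier cap on the dimensions may already exist and is worth confirming.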
@@ -476,6 +480,11 @@ BOOL LLImageBMP::decodeColorTable8( U8* dst, U8* src )
 	S32 src_row_span = getWidth() * 1;
 	S32 alignment_bytes = (3 * src_row_span) % 4;  // round up to nearest multiple of 4
 
+	if ((getWidth() * getHeight()) + getHeight() * alignment_bytes > getDataSize() - mBitmapOffset)
+	{ //here we have situation when data size in src less than actually needed
+		return FALSE;
+	}
+
 	for( S32 row = 0; row < getHeight(); row++ )
 	{
 		for( S32 col = 0; col < getWidth(); col++ )
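Review bot: The guard in decodeColorTable8 re-derives the row size by hand instead of using the `src_row_span` computed two lines above it. `if (getHeight() * (src_row_span + alignment_bytes) > getDataSize() - mBitmapOffset)` states the same bound and stays correct if the row span changes; the decodeTruecolor24 guard can take the identical form. The comment would read more clearly as `// Source buffer is shorter than the header dimensions require; refuse to decode.`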
@@ -501,6 +510,11 @@ BOOL LLImageBMP::decodeTruecolor24( U8* dst, U8* src )
 	S32 src_row_span = getWidth() * 3;
 	S32 alignment_bytes = (3 * src_row_span) % 4;  // round up to nearest multiple of 4
 
+	if ((getWidth() * getHeight() * 3) + getHeight() * alignment_bytes > getDataSize() - mBitmapOffset)
+	{ //here we have situation when data size in src less than actually needed
+		return FALSE;
+	}
+
 	for( S32 row = 0; row < getHeight(); row++ )
 	{
 		for( S32 col = 0; col < getWidth(); col++ )
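Review bot: The early `return FALSE` in decodeTruecolor24 rejects a truncated or malformed file without recording why, and the same holds for the other three guards in this commit. Unless the caller (outside the hunk) already reports the failure, a line such as `setLastError("BMP pixel data is shorter than the header dimensions require");` before the return would let rejected files be told apart from other decode failures in logs. The function body continues past the end of the hunk.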
diff --git a/indra/llimage/llimagetga.cpp b/indra/llimage/llimagetga.cpp
index 4eb8dc7440..d0ae105ba7 100755
--- a/indra/llimage/llimagetga.cpp
+++ b/indra/llimage/llimagetga.cpp
@@ -437,7 +437,13 @@ BOOL LLImageTGA::decodeTruecolorNonRle( LLImageRaw* raw_image, BOOL &alpha_opaqu
 	// Origin is the bottom left
 	U8* dst = raw_image->getData();
 	U8* src = getData() + mDataOffset;
+
 	S32 pixels = getWidth() * getHeight();
+	
+	if (pixels * (mIs15Bit ? 2 : getComponents()) > getDataSize() - mDataOffset)
+	{ //here we have situation when data size in src less than actually needed
+		return FALSE;
+	}
 
 	if (getComponents() == 4)
 	{
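Review bot: The new guard in decodeTruecolorNonRle bounds the reads from `src` only. The writes through `dst = raw_image->getData()` are driven by the same `pixels` count, and nothing in the hunk shows that `raw_image` was sized for it. If code outside the hunk does not guarantee that allocation, the condition could cover the destination as well, for example `|| pixels * getComponents() > raw_image->getDataSize()`. The added line before the guard also carries a stray tab that should be dropped.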
-- 
cgit v1.2.3